Secure Coding Dojo: platform for delivering secure coding training

the Secure Coding Dojo

The Secure Coding Dojo is a platform for delivering secure coding training. While it comes with its own vulnerable training application (the Insecure.Inc website) the training portal can be used in conjunction with other training applications. The strength of the platform is its extensibility and the integration with the commonly used development collaboration platform Slack. The training portal can be easily set up in the cloud and instructions for AWS ELB setup are available below.

Why Another Security Training Site?

While open source training sites to teach application security concepts are not new the target audience for these sites has been pen-testers and ethical hackers. The Secure Coding Dojo is primarily intended as a delivery platform for developers and here’s why:

  • It integrates with Slack for authentication
  • It allows grouping of participants according to their development teams
  • It allows teams to track progress and compete with each other
  • Each lesson is built as an attack/ defence pair. The developers can observe the software weaknesses by conducting the attack and after solving the challenge they learn about the associated software defences (code blocks)
  • The predefined lessons are based on the MITRE most dangerous software errors (also known as SANS 25) so the focus is on software errors rather than attack techniques
  • The predefined hacking challenges are created for entry-level and keep the developers engaged
    • Other training sites or CTFs there is a puzzle aspect to the challenges which is great for pen-tester audiences but can make some developers lose interest. In the Secure Coding Dojo, the focus is on demonstrating the vulnerability.
    • There are tips that help the developers as they are exploiting the issue to avoid getting stuck

Setup

Copyright 2017-2018 Trend Micro